From f78dd677e991ba8f76f3a6d4272ff5deef3faa69 Mon Sep 17 00:00:00 2001 From: Alex Klyubin Date: Mon, 15 Jun 2015 15:16:09 -0700 Subject: Fix Android Keystore key gen for keys requiring user auth. When Android Keystore generates an asymmetric key pair, it needs to create a self-signed certificate for that pair, in order to expose the key pair in the JCA KeyStore abstraction through which keys are later retrieved. The self-signed certificate is normally signed with the private key. This CL avoids using the private key to sign the certificate if the private key can be used only once the user has been authenticated. For such keys, a fake (non-verifying) signature is used on the certificate, same as for cases where the key is not authorized for signing. Bug: 21852844 Change-Id: Id78bc1f51d12950db4e37c1e0da6c60057d4e693 --- .../security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'keystore') diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java index b93424d..2de60fd 100644 --- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java +++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyPairGeneratorSpi.java @@ -624,7 +624,7 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato int keySizeBits, KeyGenParameterSpec spec) { // Constraints: - // 1. Key must be authorized for signing. + // 1. Key must be authorized for signing without user authentication. // 2. Signature digest must be one of key's authorized digests. // 3. For RSA keys, the digest output size must not exceed modulus size minus space needed // for RSA PKCS#1 signature padding (about 29 bytes: minimum 10 bytes of padding + 15--19 @@ -636,6 +636,10 @@ public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGenerato // Key not authorized for signing return null; } + if (spec.isUserAuthenticationRequired()) { + // Key not authorized for use without user authentication + return null; + } if (!spec.isDigestsSpecified()) { // Key not authorized for any digests -- can't sign return null; -- cgit v1.1